Bug 2889 - PGP encrypted and signed messages are not packaged correctly
Status: VERIFIED INVALID
Alias: None
Product: Claws Mail (GTK 2)
Classification: Unclassified
Component: Plugins/Privacy/PGP
Version: 3.9.0
Hardware: PC Linux
Importance: P3 normal
Assignee: users
Reported: 2013-03-07 05:59 UTC by Christopher Head
Modified: 2013-03-08 08:49 UTC

Description Christopher Head 2013-03-07 05:59:54 UTC
I sent a message to someone, marked as encrypted and signed. That person reported that it appeared as encrypted, but not signed. I tracked down why.

Claws-Mail, when told to both encrypt and sign a message with PGP, takes the message, signs it, takes the whole resulting package, and encrypts it. For PGP/Inline, this results in an armoured clearsign wrapped inside an armoured encrypt. For PGP/Mime, this results in a multipart/signed wrapped inside an armoured encrypt wrapped inside a multipart/encrypted. Thus it is necessary to run the armoured blob through "gpg -d" twice, once to decrypt and once to verify the signature.

Other systems (in this case Enigmail for Thunderbird) just take the original message and invoke GnuPG once, telling it to simultaneously both sign and encrypt (i.e. the equivalent to "gpg -e -s"). For PGP/Inline, this results in a single armoured blob which, when passed (once!) to "gpg -d", gives back the original message along with a signature verification result. For PGP/Mime, this results in a multipart/encrypted, whose encrypted part is an armoured blob; running this through "gpg -d" (once!) results in a signature verification result along with a multipart/mixed with one part, a text/plain.
Comment 1 Paul 2013-03-07 11:13:34 UTC
This is not a bug. Claws Mail uses the Encapsulation method (see RFCs 1847 and 3156). I believe that although previously Enigmail did not support Encapsulation, this was fixed in more recent versions of Enigmail.
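
The two layouts discussed in this report, seen from the receiving side, as an added example that is not code from Claws Mail, Enigmail or either commenter: it classifies the output of a single "gpg -d" pass so that an encapsulated signature is not missed. The function name, the returned labels and the sample messages are constructed for illustration, and the signature flag is assumed to come from the caller's reading of gpg's status output.

```python
from email import message_from_string

CLEARSIGN_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"

def classify_decrypted(plaintext, sig_seen_during_decrypt):
    """Classify what ONE 'gpg -d' pass over an encrypted message produced.

    plaintext: the decrypted output.
    sig_seen_during_decrypt: True if that same pass reported a signature
    (assumed input; the caller derives it from gpg's status output).
    """
    if sig_seen_during_decrypt:
        return "combined"              # "gpg -e -s" style, nothing left to verify
    if plaintext.lstrip().startswith(CLEARSIGN_HEADER):
        return "encapsulated-inline"   # clearsigned text inside: verify it next
    msg = message_from_string(plaintext)
    protocol = (msg.get_param("protocol") or "").lower()
    if (msg.get_content_type() == "multipart/signed"
            and protocol == "application/pgp-signature"
            and msg.is_multipart()):
        parts = msg.get_payload()
        if len(parts) == 2 and parts[1].get_content_type() == "application/pgp-signature":
            return "encapsulated-mime"  # RFC 3156 signed entity: verify part 0 with part 1
        return "malformed-signed"
    return "unsigned"

# Constructed sample inputs (signature bodies are placeholders, not real signatures).
ENCAPSULATED_MIME = (
    'Content-Type: multipart/signed; micalg=pgp-sha256;\n'
    ' protocol="application/pgp-signature"; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain\n\nhello\n'
    '--b1\nContent-Type: application/pgp-signature\n\n'
    '-----BEGIN PGP SIGNATURE-----\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n'
    '--b1--\n'
)
ENCAPSULATED_INLINE = (
    CLEARSIGN_HEADER + '\nHash: SHA256\n\nhello\n'
    '-----BEGIN PGP SIGNATURE-----\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n'
)
COMBINED_MIME = (
    'Content-Type: multipart/mixed; boundary="b2"\n\n'
    '--b2\nContent-Type: text/plain\n\nhello\n--b2--\n'
)

if __name__ == "__main__":
    for name, text, flag in [("encapsulated mime", ENCAPSULATED_MIME, False),
                             ("encapsulated inline", ENCAPSULATED_INLINE, False),
                             ("combined mime", COMBINED_MIME, True)]:
        print(name, "->", classify_decrypted(text, flag))
```

A receiver that consults only the signature flag from the decrypt pass would label both encapsulated samples as unsigned.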